
First time accepted submitter Gavrielkay writes "We seem to have attracted the attention of some less than savory types in online gaming and now find our home network relentlessly DoSed. We bought a new router that doesn't fall over quite so easily, but it still overwhelms our poor little DSL connection and prevents us web browsing and watching Netflix occasionally. What's worse is that it seems to find us even if we change the MAC address and IP address of the router. Often the router logs IPs from Russia or Korea in these attacks (no packet logging, just a blanket 'DoS attack from...' in the log). But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains. Are they spoofing those IPs? Did they sign us up for something weird there? And how do they find us with a new MAC address and IP within minutes? We're looking for a way to hide from these idiots that doesn't involve going to the Feds, although that is what our ISP suggested. Piles of money for a commercial grade router is out of the question. We are running antivirus and anti-malware programs and haven't seen any evidence of hacked computers so far."

Everyone is being scanned at every second by bots, do you have any real evidence you're being DoSed? It could be a crappy connection. Seeing a modem light flashing a lot does not mean you're being packeted.

I have a speed test site provided by my ISP, which usually runs fine, but when the "attacks" are in full swing my download speed drops to 1 or 2 Mbps (should be around 16) and I can't browse the web or watch anything on Netflix. I'm not saying I'm absolutely certain that my Netgear router isn't over-reporting, but there is something going on. And now, rather than being only when we're gaming online and getting threatened by folks, it's constant. I can't figure out what we're being tracked by though. What is there besides MAC address and IP address to latch on to? Something maybe that Windows does that we've been "signed up" for? I just don't know. I'm a software geek, not a network guru sadly.

Put DMZ options on the router to send all unsolicited traffic to that one PC's IP.

Watch what's being used and where it's coming from and where it's going.

To be honest, out of all the people who've ever come to me with a similar problem it's either a) a crap router, b) a crap ISP, c) Something on the machine/network talking OUT that's killing the connection (nothing external at all, e.g. P2P apps etc.), d) wireless connections being affected.

If you are genuinely changing your EXTERNAL IP (your internals mean nothing, your MAC means nothing), and it follows you that quickly, then YOU are broadcasting your location (or it's something internal to the network and nothing to do with packets from the Internet at all).

Do some proper diagnosis. That means rather than guessing at something and trying things that have NO correlation (MAC addresses), that you follow Sherlock Holmes - when you have eliminated the possible, whatever remains must be the truth. Go through things and eliminate one at a time.

Put ONE device on the router. Change the router. Change the way you connect to the router. Look what's going out and coming in rather than guessing that you're being DDOS'd (I have yet to witness an actual DDOS in 15 years of network management). Or just talk to your damn ISP (who, almost certainly, will tell you there's nothing DDOS'ing you at all).

If you're getting a flood of recorded packets, you can see what they are, where they come from, and what prompts them and even how they have "found" you again. If you're just stabbing at solutions in the dark, then you're no better off at all.

And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.

and it follows you that quickly, then YOU are broadcasting your location

Exactly, it doesn't even have to be sophisticated, setup Dynamic DNS on router/internal PC and it'll play follow the leader for years. "looks like http://imaspawncamper.noobstoddos.dynamicdns.moc/ [dynamicdns.moc] is back up on nother MAC and IP lulz"

You are perfectly right. That guy has no clue what he was asking; he has no idea what a MAC address actually is and what it is used for, likely the same for IP addresses. If that guy was under a DoS or DDoS attack on a DSL line he would likely not get a single bit downloaded (yeah, exaggerating).

The modem side won't have an IP or MAC, it's a layer 1 device, but since it's a DSL router (layer 3 is for routers, you know, IP layer?) it will have both. You know, so the computer can chat with the router at x.x.x.1 or be routed to the other devices in the network by IP? If you have a combined device, and don't have enough access to its controls to change its MAC, then get it into a simple Modem mode (sometimes called bridge mode) and hook up a single router that you do control as the first step in the

Better yet, put a managed switch which allows port mirroring (or a hub if you are old school) in front of your router and run Wireshark on the mirrored port going into the router. That way you will capture any packet going to and from the router. Even packets stopped by and sent from the router.

This is so right, I wish I had mod points. If it really is a DoS attack, and you need to find out how they get your IP, then this is the only way. It could be a trojan checking in on IRC, or it could just be some dodgy "cloud service" from a bogus company. If someone has your gmail password they could even look at the IP log of where it was accessed from (this works the other way too)

I keep a hub around for exactly this purpose. If you don't have a hub or a managed switch, there is the option of a PC with t

I am sure to a reasonable degree and working on getting more sure. We've got anti-virus (BitDefender) and anti malware (malwarebytes) running. I'm going to re-test turning all machines off and rebooting the router to see what happens. Do you know if there is some kind of windows phone home or amazon cloud account nonsense (we don't actually have an amazon cloud acct) that would keep identifying us to those services and attract attention, but not be scan-able by malware detection?

The advice about recording transmissions sounds like good advice, and I've heard WireShark praised before for that kind of diagnosis.

If you do that, then you can identify what signals are coming from where. If it's a DDOS, of course, there will be a wide variety of different TCP addresses, but THAT is informative, too. Not directly helpful, but good evidence as to what is going on.

Don't be too sure that your anti-virus and anti-malware tools actually catch all viruses/malware. They are generally obsolete at the time they are released. They catch the ones known about at the time.

If the attacks are quite frequent, try booting off a live CD/DVD, say a recent KNOPPIX. (I think that has diagnostic tools. They don't all, so you may need a specialized distro.) That way you can be sure that nothing in the local software is causing the problem. And THEN record the results onto a USB stick.

P.S.: This is from theory. I've never actually experienced your problem.

P.P.S.: Did you release your TCP connection? I don't know how to do that under MSWind, which I'm guessing you are using, because you talk about being a gamer. But replacing your router won't automatically do that. It's probably done somewhere in network configuration.

The problem with one device running wireshark and other devices all connected to a router is that, by virtue of IP, the wireshark running box won't see the traffic sent to the other PCs. You need to either set up a good Knoppix or Kali Linux boot disc device to act as a pass through, or get a cheap hub, or learn about ARP poisoning to get the traffic to first go to the monitoring box, then get passed along to the target device.

Ideally, your network would be a very simple DSL modem, not a modem+router. Just a modem or your router reconfigured to bridge mode. Then a hub, yeah, the dumb collision prone boxes are very useful still. Uplink of the hub goes to the modem, and your sniffing box and a good NAT+firewall router get connected to it. Then, behind that NAT and firewall goes your computer. Again, ideally, the sniffing computer will not have requested an IP address, will not even have put its ethernet port into anything but a passive state. Then you can start up Wireshark. After that, start up the machine you think is attracting the attacks. You can sort Wireshark traffic by incoming and outbound. And if changing the externally visible IP hasn't helped, you want to look at outbound to see what you are sending to whom to get yourself noticed.

I have done exactly this, and it isn't fun or easy, but it did help pass a few Cisco network tests later. Once you get into packet sniffing, and ARP poisoning switches, and packet manipulation of those ARP poisoned packets, you can do all kinds of interesting things. Upsidedownternet doesn't have to be a proxy, it can be done with any switched network if done right. And then, after you graduate from wired networks to sniffing on wireless (and collecting large logs to break keys, or doing deauth attacks on your own gear to see how your modem+router and PC stand up) then you can start in on a whole world of fun and crazy bit-level cleverness.

disclaimer: I've cracked WEP back in the PCMCIA days of having a high speed 802.11b card (custom firmware to go into monitor mode) but it was on my own network or with permission (parents wanted to know how long it would take for a neighbor to borrow their wifi, I remember leaving the linux box running about an hour and a half, but sibling had lots of traffic going). WPA deauth attacks are the same way, don't screw with other people without permission. But once you have permission, go wild; showing my younger sibling their AIM chats when they thought 'the network is encrypted, you can't see me' was a hilarious way to spend my first summer home from college.

I have a speed test site provided by my ISP, which usually runs fine, but when the "attacks" are in full swing my download speed drops to 1 or 2 Mbps (should be around 16)

Your tiny DSL would be overwhelmed by even the smallest DoS attack imaginable. You would not be getting 1 or 2 Mbps - you would be getting absolutely nothing through at all.

It is more likely that your DSL is having trouble delivering the usual 16 Mbps due to electrical interference. Your ISP may be able to fix it by lowering your speed, which sucks, but it might be more stable. Or there might be nothing that can be done unless you can locate the source of the noise. Trouble is that the source might not anyw

The ISP's speed test should be fine for judging the connection between him and the ISP. If he's actually being DDOSed, then that should slow down the connection to his ISP (during the attack). OTOH, if it's the ISP that has the problem, then you're right, that might well not reveal it. So both tests are useful, for showing different information.

We game on Steam but we've tried being logged off and getting a new IP address and still the "attacks" come. We're running bitdefender and malwarebytes. We've got PnP turned off and the firewall configured to allow only what we need for gaming a

You guys clearly are not even remotely familiar with the landscape of online gaming today. DoS and DDoS attacks are so common in gaming today that it's nigh-unbelievable. Minecraft especially, there are groups of skids with booters, who purchase subscriptions to "stresser services" (EXTREMELY common), and even some I've seen who have their own botnets.

I'm talking about 12-16 year olds I might add. In most online gaming my personal experience is 3-5% of them have a stresser service they've bought or booter. Ou

Most folks that'd DDOS you aren't that sophisticated, and if they are there's really nothing you can do until someone decides to focus their malice elsewhere.

The best bet for the poster is mitigation. Talk to the ISP, let them know the situation, and start feeding them a list of IPs to block at their head-end. While you as a client only have X bandwidth before it overwhelms your DSL, they have X^n and are usually amenable to blocking malicious traffic before it screws-up all the clients in an area.

But, to repeat what's already been said. If the attack's following you to new IPs your only bet is:
- Factory reset the router, then plug it (and only it) in.
- Have it get a fresh IP
- Wait 30 minutes and see if an attack starts
- Plug in a known safe device to check the router. Fixed devices like an iPhone or Android phone should work (unlikely that's what's compromised).
- Use the device to check the router and see what kind of traffic is happening
- Slowly start reconnecting your devices, one at a time, waiting a safe amount of time in between each.

If the router starts getting hammered without anything connected you could have a compromised router. Just last year thousands of routers were compromised that had too simple a password and remote access enabled.

If it starts after a certain device is plugged in, time to track down the culprit or (better) format the compromised machine. You're probably safe 90% of the time, but once a machine is rooted it's a good policy to never trust it.

If the router is getting traffic and you know it's safe, then you might be seeing an attack on your network segment. Only your ISP can help.

It is far more likely that he has a compromised internal network and his dsl is being overwhelmed by outbound spam, not an inbound DoS, especially since 'they' find him within minutes of an IP switch. Invest in a good virus scanner dude, and seriously consider a wipe and reload of every system.

We use BitDefender and I did recently reinstall windows. I can ask my husband to do the same, but we've scanned our computers and found nothing. More telling, we see the "attacks" in the logs even when the computers are off. Unless there's a way to infect a Vonage VOIP modem or DirecTV internet thingy (it uses it for on-demand stuff) then I don't think it's us.

More telling, we see the "attacks" in the logs even when the computers are off.

Can you spot any pattern in the IPs and times they appear?

Also, this is a long shot, but are you hosting any web pages? Big companies unleashing irresponsible crawlers can effectively DOS you without meaning to.

Further, and I know this isn't a comfortable question, but is it possible that someone in the house is logging on to certain gaming servers, and this is bringing about the attacks? If so, is there a way to get them to log

Agreed. OP should check the traffic on his own network before jumping to conclusions. As far as congestion goes, if there's a bot on his network pumping out huge amounts of outbound traffic, then that'll stuff his connection just as surely as if some script kiddie was DDoSing him.

The DSL router itself could be compromised as well. I'd start by booting up a Linux live CD, disconnecting everything else from the network and changing the external IP address again. Then I'd wait to see if they find you again. If they don't, start plugging everything back one device at a time, again checking if they find you after plugging the last device in.

I can try that. We have tried rebooting with everything turned off and still seen entries in the logs, but I'm also not sure what criteria my router uses to determine what's an attack and whether normal sniffing by the ISP to see who's actually connected might also trigger it.

It's also possible, though maybe less likely that if the game they are playing creates P2P connections between the players for say chat, then they could be revealing their IP that way. Like Freshly Exhumed said above though, it all just guesses without some evidence.

It happens even when our computers are turned off. I recently reinstalled Windows which had no effect. We both run BitDefender and malwarebytes software. I've got the firewalls rules in the router turned up to only allow certain ports. What else can I check to see if it's us as opposed to outside traffic?

You have make sure everything is off, and *then* get a new WAN ip.
Once any of the machines behind the router are up, your WAN ip
will likely be exposed immediately, and turning off the computers
*after* that is like closing the barn door after the horses have left.
If it still occurs with everything off, and keeping them off after
restarting the router with a new WAN ip, then two things:

1) your router is owned and/or sucks.
2) you are being port scanned constantly, and your router is
not behaving well (

We did try turning everything off and then rebooting the router, but I'm going to do that test again. I reinstalled windows last weekend, but my husband hasn't yet. We'll do that too. I've never been certain that the router isn't over-reporting, but it does often coincide with noticeable network slowdowns, so something is going on. We have actually been threatened with DoS and virus and such by idiots on Steam, so when you add it all up, it does seem like something is happening. I'll do more internal c

Do you have Steam auto starting at powerup, and do you know how many games are attempting to synchronise their cloud backup data at startup? My router has fits and sometimes reboots after powering up my Win7 PC. Trying to eliminate what could be flooding it, and so far Steam appears to be the only likely candidate.

More likely explanations:
1) Someone in the family downloaded something that installed an open BitTorrent client/tracker, and your network is being used to host pirate files, porn, and/or documents from a terrorist cell. Most likely just Miley Cyrus MP3s though.
2) You have uPnP open to the internet or one of your uPnP devices opened itself to the internet.
3) Your kid publicized your minecraft server's IP address on YouTube.
4) You're being probed by random botnets.

The trouble is that this might not really be an attack, just a scan. Also a lot of routers have some firewall settings that mitigate DoS attacks, but without any real possibility to tune this, or even a good description of whether the thing in the log is anything important.

The fact that some log says there is a DoS attack does not mean there really is an attack. It only says there is a log.....

Most of the dynamic addresses there translate to "ep-reverse.nimbus.bitdefender.net", and you say you use BitDefender; this - 63.228.223.103 - is "steamcommunity.com", and the one with a different port, "205.188.155.221:995", is indeed a mail server as specified by the port.

It very well might be just your router bullshitting you. Try asking at dslreports.com, or better yet, try searching there for similar problems.

And while something on your network being owned is a likely problem, that is not the only possible problem. You could have a bad NIC that is spitting out bad packets. This is why we use managed switches on big networks.

If you have an old PC lying around or can borrow one, try putting up a real firewall, like pfsense. This will let you see more of what is entering and exiting your network. It doesn't have to be a permanent installation.

You may have a long log file with those messages, but look at the time stamps... Getting hit once every minute, sometimes every 5 or 10 minutes? That's not a DoS. You would need to see a lot of those per second for it to impact your connection. I would say that is likely just normal Internet chatter/scanning.
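The two things this thread keeps asking for, a pattern in the logged IPs and times and the actual event density behind the "DoS attack" wording, can be read straight off the log. This is an added example and not code from any poster: a Python script that parses constructed router log lines (the format is modelled on the consumer-router messages described above, with RFC 5737 documentation addresses), counts repeat sources and destination ports, and measures how many events fall into any 60-second window. The 600-events-per-minute flood threshold is an assumption chosen to separate "a lot per second" from "once every few minutes"; a constructed flood sample is included so both verdicts are exercised.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log. Not from the poster's Netgear; the line format is
# modelled on the "DoS attack from ..." style of consumer-router logs
# described in the thread (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
[DoS attack: SYN/ACK Scan] from source: 203.0.113.7, port 80, Tue Jan 14 20:15:03 2014
[DoS attack: SYN/ACK Scan] from source: 203.0.113.7, port 80, Tue Jan 14 20:21:40 2014
[DoS attack: RST Scan] from source: 198.51.100.22, port 995, Tue Jan 14 20:30:11 2014
[DoS attack: SYN/ACK Scan] from source: 192.0.2.15, port 443, Tue Jan 14 20:44:52 2014
[DoS attack: ACK Scan] from source: 203.0.113.7, port 80, Tue Jan 14 21:02:19 2014
[DoS attack: SYN/ACK Scan] from source: 198.51.100.22, port 995, Tue Jan 14 21:10:00 2014
"""

LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[\d.]+), "
    r"port (?P<port>\d+), (?P<ts>.+)$"
)

# Assumed threshold: a flood that saturates a DSL line shows many events per
# second, so anything below this peak rate is treated as background scanning.
FLOOD_THRESHOLD_PER_MINUTE = 600


def parse_log(text):
    """Turn router log lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "kind": m["kind"],
            "ip": m["ip"],
            "port": int(m["port"]),
            "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        })
    return events


def peak_per_minute(timestamps):
    """Largest number of events falling inside any 60-second window."""
    times = sorted(timestamps)
    peak = j = 0
    for i, start in enumerate(times):
        while j < len(times) and (times[j] - start) <= timedelta(seconds=60):
            j += 1
        peak = max(peak, j - i)
    return peak


def summarize(events, threshold=FLOOD_THRESHOLD_PER_MINUTE):
    """Who and what repeats, and how dense the events really are."""
    times = sorted(e["ts"] for e in events)
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    peak = peak_per_minute(times)
    return {
        "events": len(events),
        "distinct_sources": len({e["ip"] for e in events}),
        "by_source": Counter(e["ip"] for e in events),
        "by_port": Counter(e["port"] for e in events),
        "median_gap_seconds": gaps[len(gaps) // 2] if gaps else None,
        "peak_per_minute": peak,
        "looks_like_flood": peak >= threshold,
    }


def constructed_flood(n=1500):
    """Constructed counter-example: n events from 200 sources inside one minute."""
    base = datetime(2014, 1, 14, 20, 15, 3)
    return [
        {"kind": "SYN Flood", "ip": f"198.51.100.{i % 200}", "port": 80,
         "ts": base + timedelta(milliseconds=40 * i)}
        for i in range(n)
    ]


if __name__ == "__main__":
    for label, events in (("router log", parse_log(SAMPLE_LOG)),
                          ("constructed flood", constructed_flood())):
        s = summarize(events)
        verdict = "flood" if s["looks_like_flood"] else "background scanning"
        print(f"{label}: {s['events']} events, {s['distinct_sources']} sources, "
              f"peak {s['peak_per_minute']}/min -> {verdict}")
        print("  repeat offenders:", s["by_source"].most_common(3))
        print("  ports:", dict(s["by_port"]))
```

On the constructed log the peak is one event per minute with a median gap of several minutes, which is the "normal Internet chatter" case; the same few sources recurring on ports 80 and 995 is exactly the pattern worth checking against reverse DNS before assuming hostility. Only the constructed flood, with hundreds of sources packed into a single minute, crosses the assumed threshold.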

You are fine. That is normal background noise. Not really a DoS, just normal
probes, which are not frequent enough to be considered a DoS.
Ignore the terminology that Netgear is using.
The slowness you encounter at times likely is upstream from you.
You should expect it in the evening.

The nature of a DOS attack (overwhelming your bandwidth / router with traffic) means it pretty much has to be handled upstream. Your ISP should be able to filter the traffic at their routers where they have the bandwidth / processing power to do so. Even if you get a super router it doesn't change the fact that they are using up your bandwidth with dud requests.

The thing about DoS attacks is that the attacker doesn't need, or want, any return packets, so they're free to spoof whatever "from" IP address they like. Bouncing packets "back where they came from" is a recipe for disrupting even more innocent parties.

We're in the middle of nowhere, the closest town being a small one. Honestly, we're lucky to have 20 mb DSL and the only other options are satellite and maybe (but probably not) WiMax. Or cell phone data (ouch). I will try to ferret out a list of IPs that claim to come from MS and Amazon and send a note to their abuse mails and see if they will do anything.

Lucky you can't get WiMax: your situation sounds like the way Clear works nightly: ISDN speeds for the crime of watching Netflix. Oh, you're not "capped". Certainly not. No, never.
Is there a possibility your logs are just port scans (which suck, but aren't a DDoS), and your problem is that you're being traffic-managed by the ISP? That would "follow you instantly".
I didn't think the log entries were close enough together in time to constitute a DDoS.

They said it didn't matter if they changed the IP address or MAC of the router. This means the attacker can track them across domains. They should try NOT playing the online games after changing the IP address and see if the DoS persists. Also if they are being DoS'ed then a Distributed Reflective DoS DRDoS is probably what's causing up to 5 spoofed SYN-ACK packets to be sent per single attacker's packet (SYN Amazon, spoofed target return IP, Amazon tries to complete the TCP handshake with the target). They didn't sign them up for anything, that's the nature of a reflective attack.

Coincidentally, the surefire way to protect against DRDoS is to simply use DR-DOS, [wikipedia.org] to play games that have far less chance of exposing you to assholes.

If you're really being DOS'ed with more bytes per second than your little DSL can take, there isn't much you can do to mitigate it on your side. Either your ISP helps out, or you change your IP and they *don't* find your new one (how are they finding it?), or you make them stop (fat chance).

I've seen some SOHO routers' firmware sporting this alleged "DoS protection". I think it's just a marketing point. No idea of how the detection works but this sounds like a false positive to me. And wouldn't your ISP notice first too?

This is probably stuff running on VMs in Amazon or Azure cloud services. Users can create VMs with insecure passwords and they are often the target of attacks.

At least in Azure, you have to go out of your way to do so -- both the out-of-the-box Linux VMs and Windows VMs create your primary user account for you, and they do some reasonable password strength checks on it.

Most gaming services don't show other users your IP address as things like a DoS could happen. Unless they are the admins of the game or you are using a third party service that they have access to such as a Teamspeak/Ventrilo server, guild/forum web server, etc. Be careful of what you visit.
Also, even the best router is not going to stop your internet pipe from getting flooded with incoming packets.

Check your system *thoroughly* for malware - you might be a part of the zombie network i.e. your system is compromised and picking up orders from a master controller - then sending out spam, kiddie pr0n, and plans for 3d printed parts.

A good backdoor shouldn't overwhelm your network, but it's still worth checking.

My bet is that you are participating in some sort of P2P network, file sharing, Spotify... I don't think you are being targeted due to gaming.

And how do they find us with a new MAC address and IP within minutes?

Assuming that this is indeed a malicious DoS attack, there is something inside your network that is tipping them off. P2P gaming software, chat software, malicious local software. There is no way for them to simply find you with a new external IP.

As others have already stated, the only way to mitigate a saturated pipe DoS is to filter upstream, your ISP or their ISP.

We seem to have attracted the attention of some less than savory types in online gaming

Followed by:

And how do they find us with a new MAC address and IP within minutes?

This is pretty obvious. The game is telling them. Not much of a gamer myself; but I'm willing to wager you can see the IP address from which a particular user is logged on. Maybe the game will let you cloak that. If it won't they can always find you again...

If it's not the game itself, it could be other software. Skype in particular (on your PC, or on your smartphone on your wifi...)

Any number of other chat programs, p2p software, etc are suspect.

Rootkit/malware/backdoor is possible.

And that's all assuming it's real, which, I don't know your level of sophistication. For all we know you just have an infected unit that's flooding your network, and you are mis-reading the overly "dangerous" sounding warnings crappy security constantly throws up to justify its existe

I'm not a gamer either, but I suspect most games are controlled by server connections with no p2p connectivity.

If I were building the kind of games you see depicted on Big Bang Theory, the gameplay would be through the server; but the chit-chat with the headphones would be p2p. There's no point routing all that chit-chat through the server. I guess you could play the game without the headphones; but it would be difficult to coordinate attacks with your partners.

When I thought about this a bit more, it occurred to me that the person being DoS'd should contact the game company. Now it gets interesting.

The game company has two aspects of its reputation to defend. 1. It doesn't want players being DoS'd. 2. It doesn't want to LART players based on spurious accusations.

That means it would have to make sure the suspect is guilty. They could have the user switch IP several times, and only display the new IP to the suspect. If displaying the new IP to the suspect resulted in the DoS being redirected, but displaying the new IP to other users didn't, then that seems like a smoking gun to me.

Now we get into the whole cost/benefit analysis for the game company to do something like that. It's probably easier just to log complaints against users, and pull the plug on people after N complaints. If say, 8 users from different walks of life have complained that X is DoS'ing them because he got pissed off, then there's a pretty good chance X is guilty. The best thing about this approach is that it works for all kinds of bad behavior, not just DoS'ing. You're going to have to handle complaints about users anyway, so there you have my answer for now:

Complain to the game company, but not until you've checked to make sure that something else isn't compromising your system.

Something is calling home to give away your ip quickly.
What computers and OSes are you using? What antivir?
A lot of antivirus programs suck.
Shutdown everything. Force new WAN ip on router.
See if problem occurs with no devices on behind the router.
If it does, maybe it is the router that is running malware.
If still quiet, bring up one machine at a time behind the router
and wait a while before doing next machine.
Any wireless devices? Is your wifi *really* secured?

This. Antivirus programs don't stop/fix rootkits. You likely have a compromised computer that is a zombie. TDSSKiller is a good start, Combofix if you need to. I'd go to bleepincomputer.com's forum and ask around there. If you're reluctant to do so, then at the very least run malwarebytes' Anti-Malware on all your PCs ASAP.

If you are not actually _hosting_ the game (in which case you are f-ed, because you simply need to examine all the packets by yourself, but from the fact you were not talking about any server I somehow suppose that you are just connecting), carrier-grade or similar NAT perfectly solves this problem. Your ISP should be able to hide you in an inner network in no time this way.

1. unplug your gateway device (dsl modem) and your router
2. on a known clean system download and create a Windows Defender Offline flashkey/dvd (you will need either or both of the 32 and 64 bit versions)
3. shut down ALL of your computers
4. make and have %meal% (don't forget the dishes)
5. run WDO on one computer (make sure it completes successfully)
6. plug in your dsl modem and wait for the blinky lights to settle
7. plug in your router and wait for its blinky lights to settle
8. plug in the computer that was scanned (a

Document what's happening as thoroughly as you can, and the whole history of the thing, and then go to the state police in your state. They may refer you to the FBI, and I'm guessing will not be all that eager to deal with the issue, but its a crime being committed against you and you should have the benefit of law enforcement to whatever degree they can feasibly help you. At the very least you will have documented what is happening and they'll know about it so that if the situation evolves they will have a

You more than likely have something "phoning home" that the bad guys are tracing back to you.

SO, to track that down, do this in exactly this order:

1. Prepare to reconfigure your router for new IP / MAC, but do not reboot it, yet. Make sure the router is NOT registering with some dynamic DNS service, if it is, that's probably part of the problem. Your ISP may be doing that for you, if so, ask them to change your reverse lookup name.

2. Power down every other computing device on the network. I'm assuming you have a wireless router? If so, track down everything that it connected to it, and power those down too. Save your most trusted device (an iPad perhaps?) for monitoring / reconfiging your router. If necessary, borrow a device from someone you trust.

3. Press "go" to reconfig the router, and observe. Your DOS should go away. If it does not, either the reconfig was unsuccessful, your ISP is somehow part of the problem, the router is registering itself somehow, or the router itself is infested.

4. Assuming the DOS abated, one by one, power up the devices you previously disconnected and observe. If the DOS starts after powering up a particular device, that's the culprit. There may be more than one. Do this slowly, to make sure as you power up a device, it's not waiting some period of time before calling home.

It would not be a bad idea to get your ISP on the phone, explain what you think is going on, and ask them to observe your traffic as you go through the above steps. If something "phones home", and you miss it, they should be able to see the traffic on their segment of the wire.

If you are successful at tracking down a culprit system, enlist the help of the anti-malware vendor in isolating the offending bits. Do this BEFORE you re-image the system. They would probably appreciate a sample. Of course, this assumes you are running anti-malware software on your endpoints.....

Unless you have some external name for your home connection (i.e. using dyndns or similar if your IP is dynamic), it is probably something you have in your network, like being part of a botnet node, having a misconfigured p2p client, or something that from inside announces itself to be accessed by others. Disable all the services that you know that access by itself outside (i.e. checking for software updates), and try to track all that you don't know that access outside by itself when the ip changes.

They could find you also because you have an easy to detect service that is exploitable. Knowing where they access and connect could be useful; even having an IP camera accessible from outside with a fixed admin password could be enough to cause that kind of behaviour. Considering that scanning the entire internet takes less than an hour [slashdot.org], a lot of people could be doing so all the time, so anything exposed you have could be easily detected.

Having antivirus is no guarantee of safety; some malware could be active for years [arstechnica.com] before it is even hinted by AV companies that something could be there (and probably US based security products will be hardcoded to not report anything that could look like an NSA backdoor or malware). While it is not a guarantee against catching malware, using Linux or even Mac OS X lowers the odds of it a lot.

He's likely on an Internet connection that uses a bridged modem and DHCP to assign IP addresses. He would have to change the MAC of the router to appear to be a new device connecting on his ISP's network if he wanted a new public IP address.

Sounds more like an internal compromised machine. Use a live Linux CD, shut down all other devices on your network except one PC. This includes phones, tablets, PCs etc. Reboot that remaining PC with the Linux CD. Reset the MAC address on your router to get a new IP. At that point you can be 100% sure that you don't have a compromised machine. If the flooding stops, a machine is compromised; dimes to donuts that's the cause.

If you went out and got a new IP and within minutes they "found" you again, really? C'mon. If that's the case, you seem to have pissed off the world's greatest hacker. It's either that or there is a sustained attack on that block of IPs that your ISP is using for DHCP or static assignments, AND if THAT's the case, then your ISP is being DOS'ed.

But really, download a LiveCD and disconnect everything in your network except the box you use with the LiveCD and see if the issue disappears. Then plug i

First Scenario: Trojan Horse

One or more machines on your network have been infected/trojaned/compromised somehow. Every time you switch your external IP address, the infected machine dutifully contacts its nefarious overlords with the news. There's a good chance that one of your compromised machines may actually be part of a botnet. One important question is, "what conditions, specifically, trigger my router's 'DOS attack from xxx' in its logs." Th

If they're getting to you within minutes, then they're getting help from inside. It may be as simple as your router being configured for Dynamic DNS, or one or more of your machines is compromised... or -- as others said, they may be getting info from your game server.

Rather than paying gigabucks for a hardware router/firewall, take an ancient machine, add a second ethernet card to it and install OpenBSD [openbsd.org] onto it. OpenBSD will do you as well as anything hardware based, in terms of protecting your network --

I mean look at that...there's 21 minutes worth of time passing in just 3 log entries, that's just plain old net noise.

It's more likely that your ISP is suffering backhaul congestion, or you are running a torrent client, or someone is DLing ultra pr0n at some insane rate or you left your wi-fi open and someone is hijacking it.

You are probably either the victim of a malware infection, or you're torrenting too much. If a machine on your network has been properly pwned (and this is a lot more likely than you being the target of a DDOS) then running AV on top of the OS most likely won't find the malware... Download and burn the Kaspersky Rescue CD, boot off that (a known-good OS) and scan your machines. Report back how much malware it found that everything else missed.

If you're participating in a DDOS (or otherwise maxing out your upstream bandwidth - eg torrents) then uploading at the maximum throughput will have the side effect of dropping your download speed to the same as your upload speed.

Point 1: The fact that you mention MAC addresses and DoS in the same question shows that you do not know enough about networking to assess this situation properly.

Point 2: Home internet connections don't get DOSed. There is no profit in it to justify the effort or risk. Anyone with the skill and capability to attack a network most certainly has better things to do.

Point 3: All of your symptoms fit perfectly with a local problem. None of them match a DOS very well.

You very likely have a compromised PC or a PC running something like torrents/other P2P software that isn't properly configured. Use up all your outbound bandwidth either way and you will have exactly the situation described.

obligatory: wtf is this doing on slashdot? It's a basic home user networking issue.

If I had to guess, the modem is holding onto the same IP address regardless of what you do with your router. Take a weekend trip and unplug your modem in hopes that it will pull a new address when you return. You could go upstream to your ISP with the issue and suggest the tech release your IP and assign you a new one.

If the attack continues, then you have something inside your network leaking information to the attacker. And you will have to clean that up before you can resolve the problem.

Executive summary: Welcome to the real world. Everybody with an "always on" connection is getting this kind of crap, it's just that most people don't realize it.

Discussion: We have a cable modem for internet service. I run a SSH honeypot (Kippo) to collect information on folks knocking on our door.

Friday morning, my Kippo honeypot recorded a dictionary attack run of 291 SSH login attempts (against root) in 12 minutes (from 178.141.148.236, look it up if you want). I don't even bother to record the crap coming against port 80.

This isn't unusual, not even for an IP address in a residential cable block! And the more you look for this kind of activity, like running a honeypot, or even reviewing your router logs, the more bewildered you'll become, particularly about how "normal" people's computers survive under these continuous attacks.

The answer, of course, is that so many do not, their home computers rooted within minutes of being connected to the net, or when a child in the household (using a Windows account with admin privileges) clicks on some enticing link in IE... Their computer gets added to one or more botnets, and eventually they toss it out because it's too slow.

Suggestions: Make sure your network is as secure as you can make it, then ask for help to make it better. Help those you care about do the same. Friends don't let friends use IE (or windows) is a good start.

Note: if someone on your network has been using P2P you may have to wait for a while when doing 2) since peers may still be trying to connect/respond to your router's IP. If it's still flashing like crazy after more than 30 minutes then you're probably being DoSed.

A few blinks every few seconds is not a DoS. Being DoSed = continuous blinking like a fast continuous data transfer.
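Several posters above argue the same rule of thumb from opposite ends: three router log entries in 21 minutes is background noise, while 291 SSH attempts from one address in 12 minutes is a real run. Here is an added Python example (not from any poster or from Kippo or a router vendor) that applies that rule to log lines: it counts events per source address in a sliding window and labels each source as noise or a sustained flood. The log line format, timestamps and addresses are all constructed for the example.

```python
"""Classify per-source log bursts as background noise or a sustained flood.

Constructed example: the line format below is made up and only loosely
resembles a consumer router's "DoS attack from ..." or a honeypot's log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+)"
)

def parse_events(lines):
    """Return (timestamp, source_ip, kind) for every line matching LINE_RE."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], m["kind"]))
    return events

def classify(events, window=timedelta(minutes=5), threshold=30):
    """For each source find the busiest sliding window; 'sustained' when any
    window holds >= threshold events, otherwise 'noise'. Returns
    {source: (label, peak_events_in_window)}."""
    by_src = defaultdict(list)
    for ts, src, _ in events:
        by_src[src].append(ts)
    verdict = {}
    for src, stamps in by_src.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide window start forward
                start += 1
            peak = max(peak, end - start + 1)
        verdict[src] = ("sustained" if peak >= threshold else "noise", peak)
    return verdict

def make_sample():
    """Constructed log: one source with 3 stray entries over 21 minutes, and
    one source making 291 SSH attempts in 12 minutes (the honeypot numbers)."""
    t0 = datetime(2013, 1, 11, 9, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = [f"{(t0 + timedelta(minutes=m)):{fmt}} [DoS attack: SYN/ACK scan] from source: 198.51.100.5"
             for m in (0, 8, 21)]
    lines += [f"{(t0 + timedelta(seconds=i * 720 / 291)):{fmt}} [SSH login attempt] from source: 203.0.113.7"
              for i in range(291)]
    return lines

if __name__ == "__main__":
    for src, (label, peak) in classify(parse_events(make_sample())).items():
        print(f"{src}: {label} (peak {peak} events in a 5 min window)")
```

Tune `window` and `threshold` to your own link: on a slow DSL line a lower threshold is reasonable, but a single source logged a few times an hour should still come out as noise.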

I've checked the attached devices and seen nothing unexpected. Our wifi is as secure as I can make it with no SSID broadcast and a good password. I don't use any dynamic DNS stuff on purpose, though the possibility that we've a compromised machine has been mentioned. We have only two bits of evidence that it's really DoS: the router logs claiming it and network slow-downs at the same time.

Apparently the only thing that was required is for a bunch of idiots to decide the only way my husband could be beating them at the game is by cheating. Or possibly they don't even care that he doesn't cheat and just want to win by breaking competitors' connections.

Anyway, I'm more concerned with how we're being found even when we're not gaming, and so far the best suggestions seem to be to reinstall everything and keep good virus/anti malw